Xorist

Xorist is a ransomware family from 2010 that runs on Microsoft Windows. It is aimed at Russian-speaking and English-speaking users. Xorist variants are created with a ransomware builder that lets script kiddies produce a customized version of the threat quickly. This ease of customization makes it difficult for PC security researchers to offer solutions, since there are countless variants, each using different encrypted-file extensions, encryption schemes and ransom messages.

Payload Transmission

Xorist is possibly distributed by hacking through an insecure RDP configuration, through email spam with malicious attachments, fraudulent downloads, exploits, web injects, fake updates, and repackaged or infected installers.

Infection

Xorist's default extension is .EnCiPhErEd. The default ransom note associated with the Xorist Ransomware is named HOW TO DECRYPT FILES.txt and includes the following text:

Attention! All your files are encrypted! To restore your files and access them, please send an SMS with the text XXXX to YYYY number. You have N attempts to enter the code. When that number has been exceeded, all the data irreversibly is destroyed. Be careful when you enter the code!

By default, Xorist variants target the following extensions (more may be added to the list): .zip, .rar, .7z, .tar, .gzip, .jpg, .jpeg, .psd, .cdr, .dwg, .max, .bmp, .gif, .png, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .txt, .pdf, .djvu, .htm, .html, .mdb, .cer, .p12, .pfx, .kwm, .pwm, .1cd, .md, .mdf, .dbf, .odt, .vob, .ifo, .lnk, .torrent, .mov, .m2v, .3gp, .mpeg, .mpg, .flv, .avi, .mp4, .wmv, .divx, .mkv, .mp3, .wav, .flac, .ape, .wma, .ac3.

Removal

Emsisoft created a decrypter for it. Kaspersky has also created a decryptor for it.

Variants

* XRat: It was discovered in August 2016. It has been targeting Portuguese computer users, encrypting files with RSA-2048 and hiding the decryption key. The malware appends the .C0rp0r@c@0Xr@ file extension to the encrypted data and delivers a ransom note named "Como descriptografar seus arquivos.txt". Victims are told to contact the authors via the corporacaoxrat@protonmail.com email address to learn how to obtain the decryptor.
* XPan: It emerged in September 2016. It uses AES-256 encryption and appends either the .____xratteamLucked or the .one file extension. A unique feature of this ransomware is that after infiltration it checks the default language of the computer. The ransom-demanding message does not state how many bitcoins victims have to transfer; however, some people claim that they were asked to pay 0.3 BTC.
* Zixer2: It uses the Tiny Encryption Algorithm and appends the .zixer2 file extension. Following data encryption, it delivers a ransom note in the file HOW TO DECRYPT FILES.TXT. Here victims are asked to contact the cybercriminals via the datares@india.com email address. It is unknown how much money the crooks ask in exchange for the decryption key.
* Imme: It uses an XOR encryption algorithm and appends the .imme or .imme.teras.completecrypt file extension to the targeted data. In the ransom note, the hackers demand 2 bitcoins, to be paid within 72 hours. The threatening message also reveals a unique user ID that victims have to send to supfiles@inbox.im or supfiles@gmx.com as soon as they pay the ransom.
* AvastVirusinfo: It is a variant that aims at Russian-speaking computer users. It has its own entry.
* Crypto1CoinBlocker: It uses RSA-2048 cryptography to encode files on the affected computer. When all data is encrypted, the ransomware delivers a pop-up window with a ransom-demanding message. The same data recovery instructions are provided in the HOW TO DECRYPT FILES.txt file. The cybercriminals ask for a transfer of 1 bitcoin to the provided wallet address. Interestingly, that Bitcoin wallet address is also the appended file extension: .1AcTiv7HDn82LmJHaUfqx9KGG55P9jCMyy.
* Hello: It emerged in August 2017. The malware spreads as, and is executed from, the file iji.exe. Once this file is run on the system, it starts scanning for the targeted files. It appends the .HELLO file extension to all encrypted data. The virus also displays a pop-up window informing the victim about the encrypted data, and drops a ransom note called HOW TO DECRYPT FILES.txt in which victims are asked to transfer 0.05 BTC to the provided address. Users are given 12 hours to complete this task; after the deadline, the price doubles, and after 24 hours the corrupted files are said to be deleted.
* Cerber_RansomWare@qq.com: This variant pretends to be Cerber. It is still capable of encoding users' files, appending the .cerber_RansomWare@qq.com extension and demanding a ransom.
* Cryptedx: It encrypts files, appending the .cryptedx file extension.
* Frozen: It was detected at the beginning of February 2018. According to the latest reports, the ransomware is very similar to its predecessors. It uses an XOR file encryption algorithm and creates a HOW TO DECRYPT FILES.txt ransom note. Currently, the file extension appended to the encrypted files is not known. Frozen asks for a 0.5 BTC ransom, which at the time of writing is equal to 3400 USD. The extortionists claim that all locked files will be removed from the server within 34 hours after the encryption. Compared with its predecessors' communication method, this version has switched from SMS to email, so people who opt for a unique decryption code have to send a code to frozen_service_security@scryptmail.com. Based on the prevalence of the virus, it is oriented toward English-speaking countries.
* XWZ: It was detected in the second half of March 2018 by a group of ransomware researchers. This variant uses an XOR encryption algorithm to render the victim's personal files useless. XWZ is capable of attacking 111 file types. Once the ransomware payload has run, most of the files on the infected PC get a .xwz file extension. The virus presents a ransom note in the form of a text file, READ ME FOR DECRYPT.txt. The ransomware is oriented toward English-speaking users, since it is not translated into any other language:

All your files are encrypted using an unknown algorithm! Do not try decrypt manualy! You can destroy your files!! To decrypt, please contact us BlackStarMafia@qq.com Your personal ID: IN1O-2OYU-O98O-K1JJ How to buy Bitcoins? https://blockchain.info/ru/wallet/how-to-get-bitcoins

Just like its other versions, the virus circulates on the Internet with the help of various social engineering strategies. However, malspam campaigns are considered the most active technique for spreading this malware. It can attack PCs via unprotected RDP configurations, drive-by-download attacks, fake software updates, and similar stealthy methods.
* CryptoTorLocker: It is a well-known Xorist variant; it has its own entry.
* MCrypt2019: It is a variant of Xorist that appends ".exe" to encrypted files and also drops an HTML ransom note. Attempting to decrypt this variant would further damage the .exe extension registration in the registry.
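As an added defender-side example, not code from the original page or from any decryptor vendor: a small Python triage script that walks a directory and tallies the ransom-note file names and appended extensions listed above, mapping each to the variant this page associates with it, and flags the MCrypt2019 case by reporting ".exe" files that lack a PE header. The variant mapping and the sample files it builds are constructed from this page for demonstration and are not real malware artefacts.

```python
import os
import tempfile
from collections import Counter

# Ransom-note names and appended extensions as listed on this page (lowercased for matching).
NOTE_NAMES = {
    "how to decrypt files.txt": "Xorist default / Zixer2 / Hello / Frozen",
    "read me for decrypt.txt": "XWZ",
    "como descriptografar seus arquivos.txt": "XRat",
}
EXT_TO_VARIANT = {
    ".enciphered": "Xorist default", ".c0rp0r@c@0xr@": "XRat",
    ".____xratteamlucked": "XPan", ".zixer2": "Zixer2", ".imme": "Imme",
    ".imme.teras.completecrypt": "Imme", ".hello": "Hello", ".cryptedx": "Cryptedx",
    ".xwz": "XWZ", ".cerber_ransomware@qq.com": "Cerber_RansomWare@qq.com",
    ".1activ7hdn82lmjhaufqx9kgg55p9jcmyy": "Crypto1CoinBlocker",
}

def is_pe_file(path):
    """A genuine Windows executable starts with the 'MZ' DOS header."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"

def triage(root):
    """Walk a directory tree and tally Xorist-family indicators by variant."""
    report = {"notes": [], "encrypted": Counter(), "fake_exe": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path, lower = os.path.join(dirpath, name), name.lower()
            if lower in NOTE_NAMES:
                report["notes"].append((path, NOTE_NAMES[lower]))
                continue
            variant = next((v for e, v in EXT_TO_VARIANT.items() if lower.endswith(e)), None)
            if variant:
                report["encrypted"][variant] += 1
            # MCrypt2019 appends ".exe" to encrypted data: an ".exe" with no PE header is suspect.
            elif lower.endswith(".exe") and not is_pe_file(path):
                report["fake_exe"].append(path)
    return report

def demo():
    """Build a constructed sample tree (not real malware artefacts) and triage it."""
    root = tempfile.mkdtemp()
    samples = {"HOW TO DECRYPT FILES.txt": b"Attention! All your files are encrypted!",
               "report.docx.HELLO": b"\x00garbage", "photo.jpg.HELLO": b"\x00garbage",
               "budget.xlsx.xwz": b"\x00garbage", "notes.txt.exe": b"\x00not a PE",
               "notepad.exe": b"MZ\x90\x00", "clean.pdf": b"%PDF-1.4"}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return triage(root)
```

Because the default note name is shared by several variants, the extension tally is what narrows the result to a specific variant; the note alone only confirms the family.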